[Openswan Users] VPN Failover

Robert Woodcock robert.woodcock at cobaltmortgage.com
Thu Feb 14 19:40:21 EST 2008


On Tuesday, February 05, Mehdi Sheikhalishahi wrote:
> I would like to know whether IPSec Tunnel, L2TP, Phase1SA, Phase2SA,
> IPSec SA, and other stuff related to VPN have the capability of a
> failover mechanism. I mean in the situation where, for example, we have
> two VPN gateways, one of them which is master fails and we want to
> switch to the other one...

I'm doing this using IPSec+GRE+OSPF. It adds a bit more overhead
(GRE encapsulation is another 24 bytes), but failover is automatic.

Since host<->host tunneling using opportunistic IPSec can make ssh'ing
into a remote router to fix it when the tunnel is down impossible
(AFAIK), I use net-to-net tunnels with /32 masks. This allows the two
routers to talk directly to each other over IPSec.

On top of that, I build the GRE tunnel using a /30 network (using the
openswan updown hooks). The GRE tunnel effectively defeats the SA
protection that controls what endpoints can communicate over the
tunnel, so design your firewalling rules with that in mind.

On top of that, I run Quagga's ospfd, publishing the internal networks
connected to each router.

Since this will likely introduce asymmetrical routing into your network,
make sure your internal firewalling rules do not rely entirely on state
information and make sure that reverse path filtering isn't enabled.

I also set the GRE tunnel MTUs to 1426 or 1422 bytes to avoid sending
lots of fragmented ESP packets to the other endpoint - you may or may
not be able to do the same depending on the applications you run.

Some people have done the same thing using Cisco routers - Google for
IPSec+GRE+OSPF.
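As an added example (not code from Robert's post or from the Openswan project), this is one shape the updown hook described above can take: it creates the GRE tunnel over the /32 net-to-net SA, caps its MTU, and disables rp_filter on the new device before chaining to the stock hook. PLUTO_VERB, PLUTO_ME, PLUTO_PEER and PLUTO_CONNECTION are the variables Openswan exports to updown scripts; the GRE_LOCAL/GRE_REMOTE inner addresses, the GRE_MTU default and the STOCK_UPDOWN path are assumptions you would set for your own connection.

```shell
#!/bin/sh
# Example leftupdown/rightupdown hook for an openswan net-to-net /32 tunnel.
# Added example, not from the original post. Assumed: GRE_LOCAL/GRE_REMOTE
# carry the /30 inner addresses, STOCK_UPDOWN is the default hook location.

: "${GRE_MTU:=1426}"                        # GRE MTU from the post (1426 or 1422)
: "${STOCK_UPDOWN:=/usr/lib/ipsec/_updown}"  # assumed path of the stock hook

# Emit the commands for one verb, one per line. Kept separate from execution
# so the output can be reviewed (or tested) without touching the host.
gre_cmds() {
    verb=$1 me=$2 peer=$3 conn=$4 inner_me=$5 inner_peer=$6
    dev="gre-$conn"
    case "$verb" in
    up-client|up-host)
        # GRE runs inside the SA between the two /32 router addresses.
        # Traffic on $dev is no longer constrained by the SA's selectors,
        # so firewall rules must match on this device explicitly.
        printf '%s\n' \
          "ip tunnel add $dev mode gre local $me remote $peer ttl 64" \
          "ip link set $dev mtu $GRE_MTU up" \
          "ip addr add $inner_me peer $inner_peer/30 dev $dev" \
          "sysctl -q -w net.ipv4.conf.$dev.rp_filter=0"
        ;;
    down-client|down-host)
        printf '%s\n' "ip tunnel del $dev"
        ;;
    *)
        # prepare-*, route-*, unroute-*: nothing GRE-specific to do
        ;;
    esac
}

# Hook entry point: only acts when pluto is actually calling this script.
if [ -n "${PLUTO_VERB:-}" ]; then
    gre_cmds "$PLUTO_VERB" "$PLUTO_ME" "$PLUTO_PEER" "$PLUTO_CONNECTION" \
             "${GRE_LOCAL:?}" "${GRE_REMOTE:?}" | sh
    # Keep the default route/policy handling by chaining to the stock hook.
    exec "$STOCK_UPDOWN" "$@"
fi
```

Once the /30 is up on both routers, ospfd only needs a `network` statement covering the GRE interfaces and the internal prefixes; route withdrawal on SA loss is what gives the failover.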
